CVE-2025-55182: Critical Vulnerability, React2Shell, Allows for Unauthenticated RCE
Cybereason is continuing to investigate. Check the Cybereason blog for additional updates.
KEY TAKEAWAYS
Critical vulnerability in React, discovered on December 3, 2025, that could allow for unauthenticated remote code execution.
Cybereason experts have described this vulnerability as trivial to exploit.
The issue is that the server incorrectly trusts user-supplied identifiers and fails to verify them.
Initial working proof of concept is public and attributed to Chinese threat actors.
If a server was exposed to the public internet prior to the patch release date (December 3, 2025), investigate for signs of compromise.
Update to the latest patched versions of React, and review the advisory for additional recommendations.